Posts Tagged ‘privacy’

Lower Merion School District Laptop Scandal

Sunday, February 21st, 2010

A lawsuit has been filed against the Lower Merion School District accusing them of spying on students through laptop webcams.

In response, the school has issued a statement:

Yesterday I reported to you on the early phases of the school district’s response to questions raised about the security-tracking software feature that was installed on student laptop computers. While we were able to address many of your initial questions and concerns, I regret we were not immediately in a position to answer all of your questions. Our goal is to be as open as possible, while preserving student privacy, and ensure that over time we have answered to your satisfaction every question about this situation and the broader issue of technology and privacy.

We are a school district that embraces the use of leading-edge technology in our instructional program, encourages all forms of free expression, and must do everything possible to safeguard individual privacy. For these and other reasons, this matter is of the highest importance. In this regard, we have retained the services of Henry E. Hockeimer, Jr., Esq., a local attorney and former federal prosecutor, to assist in our comprehensive review of relevant policies and past practices, as well as assist us in implementing appropriate improvements.

Despite some reports to the contrary, be assured that the security-tracking software has been completely disabled. As I noted yesterday, this feature was limited to taking a still image of the computer user and an image of the desktop in order to help locate the reported missing, lost, or stolen computer (this includes tracking down a loaner computer that, against regulations, might be taken off campus). While we understand the concerns, in every one of the fewer than 50 instances in which the tracking software was used this school year, its sole purpose was to try to track down and locate a student’s computer. Before answering additional questions below, it is important to clear up the matter of notice to students and parents of the existence of the security software. While certain rules for laptop use were spelled out – such as prohibitive uses on and off school property – there was no explicit notification that the laptop contained the security software. This notice should have been given and we regret that was not done.

Once again, we regret this situation has been a source of concern and disruption, and trust that we will soon have stronger privacy policies in place as a result of the lessons learned and our comprehensive review that is now underway. If you have any questions or concerns, please email us at info@lmsd.org. Additional information has been posted on our website, www.lmsd.org.

Thank you for your time and attention.

Sincerely,

Dr. Christopher W. McGinley
Superintendent of Schools
Lower Merion School District

Google’s Chrome Web Browser Helps Protect Your Privacy

Friday, January 23rd, 2009

Did you think Google.com was just a search engine? Well, they do lots of other things, such as inventing a cell phone, mapping and aerial photos.

Now, they have developed a web browser that helps protect your personal information. Your browsing history, cookies and other Internet activity are treated with special care.

Google’s New Web Browser Lets You Go Incognito

Sunday, January 18th, 2009

Web browsing has become safer with Chrome, Google.com’s browser. You can download it for free. It’s lightweight on your computer resources but heavy duty on surfing the web. Pages load faster.

There is also an awesome feature that is the antithesis of Microsoft’s Internet Explorer (IE) web browser — secure browsing. Whereas Microsoft tries to track your movements and uses practices that are questionable for your privacy and security, Google has built in features to help protect you. In particular, you can click on the little wrench icon in the upper right hand corner and select, “New incognito window.”

A new browser window opens and tells you:

You’ve gone incognito. Pages you view in this window won’t appear in your browser history or search history, and they won’t leave other traces, like cookies, on your computer after you close the incognito window. Any files you download or bookmarks you create will be preserved, however.

Going incognito doesn’t affect the behavior of other people, servers, or software. Be wary of:
* Websites that collect or share information about you
* Internet service providers or employers that track the pages you visit
* Malicious software that tracks your keystrokes in exchange for free smileys
* Surveillance by secret agents
* People standing behind you

New in-session phishing attack could fool experienced users

Wednesday, January 14th, 2009

By Joel Hruska | Published: January 13, 2009 – 11:15AM CT

Another year, another form of phishing. This one, I have to admit, is pretty good in terms of potentially fooling a user. Unlike most phishing attack vectors, it doesn’t rely on the victim being ignorant and/or moronic. The new technique has been dubbed “in-session” phishing and it stays out of your e-mail altogether.

Security researchers with Trusteer have published a report (PDF) on this new type of phishing along with a suitably vague description of how the attack works. As its name implies, in-session phishing requires that the victim first log into a secure website; Trusteer uses an online bank site as one example of a tasty target.

Here’s how the attack works: A user legitimately logs into his bank, authenticates, and then does whatever he logged in to do. Once finished, he opens another browser tab (or browser window) and leaves the bank website open. Shortly thereafter, he encounters a website that has been injected with the malicious code in question. Once run, the malware creates a pop-up (supposedly from the bank or secure site that’s still open in another tab or window). The “authentic” pop-up prompts the user to enter his login credentials again in order to resume the session. Trusteer notes that the attack could be used to present different types of lures including online surveys or mini-flash games (punch the Yeti, enter your personal data, and win a free Llama!).

In order for the attack to function, Trusteer states that two conditions must be met. First, a website must be compromised and infected—the higher traffic the better, obviously. Secondly, the downloaded malware must be able to identify whether or not the unknowing carrier is logged into a relevant website. Trusteer does not state how long the window of opportunity is open for this particular attack to execute, but does note that the malware infection is temporary.

Trusteer explains how the bug works. It is present in the JavaScript engine used by popular browsers like IE, Firefox, and Safari, as well as Chrome, and allows a site to determine whether a user is also logged into another site.

The source of the vulnerability is a specific JavaScript function. When this function is called it leaves a temporary footprint on the computer and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites use this function and can be traced.

The researchers recommend that users and companies deploy appropriate web security tools (which the company happens to sell), immediately log out of any secure sites once you’ve finished your tasks (good advice), and to be extremely wary of pop-ups that randomly drop in if you haven’t clicked anything.

The JavaScript vulnerability that Trusteer has discovered obviously needs patching, but in-session phishing doesn’t appear to be a major threat. In order to function successfully, the malware requires that a user have simultaneous browser windows open to both a login/secure site and an infected site, and that the secure site is on the malware’s pregenerated list of targets. There are some rather simple ways for banks and other targeted institutions to fight back; options include rapid disconnects if a user becomes idle and prominent notifications of the company’s login policy.

Many companies (Blizzard and AOL come to mind) prominently and repeatedly inform customers that neither the company nor its representatives will ever, ever, ask a user to disclose their password. A similar warning against in-session phishing might state that the company will never ask users to log in via a pop-up or any third-party service. Between currently available solutions and inevitable patches, I think in-session phishing is going to find its nets mostly empty.
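
The "rapid disconnects if a user becomes idle" defence mentioned above, as a server-side session store for Node.js. This is an added example, not code from the article or from Trusteer; the names `SessionStore`, `IDLE_LIMIT_MS` and `ABSOLUTE_LIMIT_MS` and the 5- and 30-minute limits are assumptions chosen for illustration.

```javascript
// Added example: idle and absolute session expiry enforced on the server.
// SessionStore, IDLE_LIMIT_MS and ABSOLUTE_LIMIT_MS are hypothetical names;
// the 5- and 30-minute limits are assumed policy values.
const IDLE_LIMIT_MS = 5 * 60 * 1000;
const ABSOLUTE_LIMIT_MS = 30 * 60 * 1000;

// CSPRNG that resolves under both CommonJS and ES modules in Node.js.
const rng = typeof require === 'function'
  ? require('crypto').webcrypto
  : globalThis.crypto;

class SessionStore {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so expiry can be tested
    this.sessions = new Map(); // session id -> { user, created, lastSeen }
  }

  create(user) {
    const bytes = rng.getRandomValues(new Uint8Array(32));
    const id = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
    const t = this.now();
    this.sessions.set(id, { user, created: t, lastSeen: t });
    return id;
  }

  // Call on every authenticated request. Returns the user, or null when the
  // session is unknown or expired, in which case the caller requires a full
  // login on the site's own login page.
  touch(id) {
    const s = this.sessions.get(id);
    if (!s) return null;
    const t = this.now();
    const idle = t - s.lastSeen > IDLE_LIMIT_MS;
    const tooOld = t - s.created > ABSOLUTE_LIMIT_MS;
    if (idle || tooOld) {
      this.sessions.delete(id); // destroy server state, not only the cookie
      return null;
    }
    s.lastSeen = t;            // activity slides the idle window forward
    return s.user;
  }

  logout(id) {
    return this.sessions.delete(id);
  }
}
```

Because expiry is decided on the server at request time, a tab left open in the background stops being a live session once the idle limit passes, which shortens the window in which a "log in again" pop-up is plausible.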